Rustifying the VM Introspection Ecosystem€¦ · Wenzel/awesome-virtualization. VM Introspection....

Rustifyingthe VM

IntrospectionEcosystem

FOSDEM 2020

Mathieu TarralDorian Eikenberg

Agenda

● What is VM Introspection ?

● VMI ecosystem today

● Rustifying the VM Introspection ecosystem

● Future work

Virtualization Rust

● 2015:

○ Rust 1.0

● 2016:

○ rustyvisor

● 2017:

○ crosvm

○ Firecracker

● 2019:

○ rust-vmm

○ orange_slice

○ cloud-hypervisorWenzel/awesome-virtualization

VM Introspection

VM Introspection

“Deriving the execution context of a virtual machine, from the hypervisor interface, by

querying its hardware state, for security purposes”

VM Introspection : Concepts

Virtual Machine

Hypervisor

Virtualization layer

IntrospectionAgent

VMI API

● Intercept hardware events

○ memory access (r/w/x)

○ interrupts

■ set breakpoints ! (int 3)

○ MSR registers

○ control registers

○ etc...

● Modify hardware state

○ VCPUs registers

○ physical memory

VM Introspection : Core Strenghts

What VMI provides:

● VM hardware access

○ full system view at hypervisor-level privilege

● Interposition

○ control what hardware events to catch

○ manipulate what the OS should see of itself

VM Introspection : Scenarios

● When detectability is an issue

○ stealth malware analysis

● Need a full-system approach

○ complex debugging scenarios (nested hypervisor)

○ advanced in-kernel fuzzing

● Can’t rely on guest OS

○ to give you a view of itself

○ assuming compromised kernel

○ Unikernel (!)

VM Introspection : Complexity

Virtual Machine

Hypervisor

Virtualization layerIntrospection

Agent

VMI API

SemanticEngine

Virtual AddressTranslation

EventDispatcher

BreakpointManager


Virtual Machine

Hypervisor


Agent

VMI API

SemanticEngine


EventDispatcher

BreakpointManager

● Setup a breakpoint callback on “kernel32:WriteFile”

● Filter on process name for “cargo.exe”

● Callback: log function parameters


Virtual Machine

Hypervisor


Agent

VMI API

SemanticEngine


EventDispatcher

BreakpointManager

● Identify VM context: kernel and libraries

● Load debug symbols

● Identify current running process on VCPU


Virtual Machine

Hypervisor


Agent

VMI API

SemanticEngine


EventDispatcher

BreakpointManager

● write int3 in memory

● register interrupt callback

● write original opcode back

● singlestep


Virtual Machine

Hypervisor


Agent

VMI API

SemanticEngine


EventDispatcher

BreakpointManager

● Deliver hardware event to each registered callbacks


Virtual Machine

Hypervisor


Agent

VMI API

SemanticEngine


EventDispatcher

BreakpointManager

● Identify paging

● Walk paging structures

VMI ecosystem in 2020

VMI API: Hypervisor Support2007 2019

Community Effort Upstream integration Alternate EPT/RVI available

Xen

XenAccess LibVMI

2011

VirtualBox

Winbagility

2017

Hyper-V

LiveCloudKd

KVM

Nitro

KVM-VMI

FireEye rVMI

Bitdefender KVMi

QEMU

PyREBox

VMI Projects : Silos

PyREBox

LibVMI

icebox

LiveCloudKd

rVMI

pyvmidbg

DRAKVUF

The Idea :Unifying the ecosystem

Unifying the ecosystem

PyREBox

LibVMI

icebox

LiveCloudKd

rVMI

pyvmidbg

DRAKVUF

Unification : Constraints - Speed

PyREBox

LibVMI

icebox

LiveCloudKd

rVMI

pyvmidbg

DRAKVUF

abstraction layer == cost

Unification : Constraints - Compatibility

PyREBox

LibVMI

icebox

LiveCloudKd

rVMI

pyvmidbg

DRAKVUF

Provide a C API

Unification : Constraints - Cross-Platform

PyREBox

LibVMI

icebox

LiveCloudKd

rVMI

pyvmidbg

DRAKVUF

Be easy to maintain on Windows/Linux

Desired Quality - Memory Safety

Hypervisor


IntrospectionAgent

VMI API

Desired Quality - Memory Safety

Hypervisor


IntrospectionAgent

VMI API

Attack Surface

Unifying the ecosystem

● Speed

● C compatibility

● Cross-platform

● Memory safety

libmicrovmi : Playing lego with VMI

Unifiedlow-levelVMI API

AddressTranslation

SemanticEngine

BreakpointManager

https://github.com/Wenzel/libmicrovmi

Hypervisors

CustomHypervisor

Emulators

Dynamic Analysis● pyvmidbg● icebox● rVMI● LiveCloudKd● DECAF● PANDA● PyREBox● Drakvuf

Live-Memory Analysis● Volatility● Rekall

OS HardeningMonitoringFuzzing● ApplePie

VMI Apps

EventDispatcher

libmicrovmi

libmicrovmi : Status

● read physical memory

● r/w VCPU registers

● Subscribe on hardware events○ registers

■ mov CR0/CR3/CR4■ mov DRx■ r/w MSR

○ interrupts○ singlestep○ descriptors○ hypercalls○ memory

■ r/w/x on frame■ switch on alternate EPT views

● Utilities○ foreign memory mapping○ pagefault injection

● C API

● LibVMI integration

● Xen○ xenctrl / -sys○ xenstore / -sys○ xenforeignmemory / -sys

● KVM○ kvmi / -sys

● VirtualBox○ fdp / -sys

● Hyper-V○ vid-sys

● QEMU

Demo: mem-dump on Xen / KVM / VirtualBox

https://docs.google.com/file/d/0BxGDwm2xs-VDaGFQdXVwVkJicE5lVUJLUzRJbzUwb2lZWXhJ/preview

Demo : Intercepting context switch on KVM(CR3 events)

● Demo is running in nested virtualization

https://docs.google.com/file/d/1ZYlRPL0-7adMmc6cYMy6DVAl5PrvHz2S/preview

Future - VM Introspection

● An OS-independent hooking framework

○ Hypervisor-based intrusion detection

○ Full-system view for debuggers

○ A new layer of hardening and defense in depth

○ Snapshot-based fuzzing capabilities

● Make VM Introspection a new commodity

One Last Thing : GSoC

● We will propose libmicrovmi for the GSoC

● Part of the Honeynet organization

● Ideas

● Improve an existing driver

○ Xen / KVM / VirtualBox

● Add support for emulators

○ QEMU / Bochs / Unicorn

● Propose stealth breakpoints implementation based on EPT

● Add libloading support to rust-lang/bindgen #1541

Rustifyingthe VM

Introspectionecosystem

FOSDEM 2020 Mathieu TarralDorian Eikenberg

https://github.com/Wenzel/libmicrovmi

@mtarral@rageagainsthepc

Rustifying the VM Introspection Ecosystem€¦ · Wenzel/awesome-virtualization. VM Introspection....

Documents

Transcript of Rustifying the VM Introspection Ecosystem€¦ · Wenzel/awesome-virtualization. VM Introspection....